A FAST ALGORITHM FOR TESTING REDUCIBILITY OF TRINOMIALS MOD 2 AND SOME NEW PRIMITIVE TRINOMIALS OF DEGREE

Transcription

1 MATHEMATICS OF COMPUTATION Volume 72, Number 243, Pages S (02) Article electronically published on December 18, 2002 A FAST ALGORITHM FOR TESTING REDUCIBILITY OF TRINOMIALS MOD 2 AND SOME NEW PRIMITIVE TRINOMIALS OF DEGREE RICHARD P. BRENT, SAMULI LARVALA, AND PAUL ZIMMERMANN Abstract. The standard algorithm for testing reducibility of a trinomial of prime degree r over GF(2) requires 2r + O(1) bits of memory. We describe a new algorithm which requires only 3r/2+O(1) bits of memory and significantly fewer memory references and bit-operations than the standard algorithm. If 2 r 1 is a Mersenne prime, then an irreducible trinomial of degree r is necessarily primitive. We give primitive trinomials for the Mersenne exponents r = , , and The results for r = extend and correct some computations of Kumada et al. The two results for r = are primitive trinomials of the highest known degree. 1. Introduction Throughout this paper all polynomials are assumed to be in Z 2 [x]. A polynomial P (x)isreducible if it has nontrivial factors; otherwise it is irreducible. Apolynomial P (x) ofdegreer>1isprimitive if P (x) is irreducible and x j 1modP (x) for 0 <j<2 r 1. If P (x) isprimitive,thenx is a generator for the multiplicative group of the field Z 2 [x]/(p (x)), giving a useful representation of GF(2 r ). See Lidl and Niederreiter [16] or Menezes et al. [18] for background information. There is an interest in discovering primitive polynomials of high degree r because of their connection with fast, high-quality pseudorandom number generators of period at least 2 r 1: see [4] and the references given there. In such applications it is desirable to use primitive polynomials with a small number of nonzero terms. In particular, we are interested in trinomials of the form x r + x s +1, where r>s>0. If P (x) is irreducible and deg(p )=r, then the order of x in Z 2 [x]/(p (x)) is a divisor of 2 r 1. To test if P (x) is primitive, we must test if the order of x is exactly 2 r 1. To do this efficiently it appears that we need to know the complete prime factorization of 2 r 1. At the time of writing these factorizations are known for r<673 and certain larger r, see[6]. We say that r is a Mersenne exponent if 2 r 1 is prime. In this case the factorization of 2 r 1 is trivial and an irreducible polynomial of degree r is necessarily Received by the editor July 9, Mathematics Subject Classification. Primary 11B83, 11Y16; Secondary 11-04, 11K35, 11N35, 11R09, 11T06, 11Y55, 12-04, 65Y10, 68Q25. Key words and phrases. Irreducible polynomials, irreducible trinomials, primitive polynomials, primitive trinomials, Mersenne exponents, Mersenne numbers, random number generators c 2002 American Mathematical Society

2 1444 R. P. BRENT, S. LARVALA, AND P. ZIMMERMANN primitive. Large Mersenne exponents are known [8], so there is a possibility of finding primitive trinomials of high degree if we have an efficient algorithm for testing reducibility. Zierler [26] gave all primitive trinomials of Mersenne exponent r Kurita and Matsumoto [14] extended the search to r 86243, and Heringa et al. [10] to r Kumada et al. [12] conducted an exhaustive search for r = and found one primitive trinomial. In this paper we describe a new algorithm for testing reducibility of trinomials of odd degree, and give some results obtained by applying the algorithm to the Mersenne exponents r In particular, we have verified the published results for r , found three new primitive trinomials for r = , found a primitive trinomial for r = which was missed by Kumada et al. [12], and found two new primitive trinomials for r = The search for Mersenne exponents r is now complete. Sieving is discussed in 2. In 3 we describe the standard algorithm for testing reducibility, and in 4 we describe our new algorithm. Some performance figures are given in 5. The computational results are summarised in 6 and Tables 3 4. The reader may wish to refer to the preliminary report [5] for details which are omitted here. 2. Sieving The following theorem characterises the irreducible polynomials of given degree. The proof is well-known, see for example [16]. Theorem 1. Let Φ d,1, Φ d,2,... be the irreducible polynomials of degree d in Z 2 [x]. Then, for n 1, Φ d,j (x) =x 2n + x. d n j Testing a polynomial P (x) for irreducibility is analogous to testing a number N for primality. We can save time by first checking if P (x) is divisible by an irreducible polynomial of low degree, in the same way that we can save time by checking if N is divisible by a small prime. From Theorem 1, we can check if P (x) is divisible by some irreducible polynomial Φ d,j (x) ofdegreed n by computing GCD(P (x),x 2n + x). By analogy with the process of sieving out small integer factors, this process will be called sieving, although the sieve is performed by a GCD computation. We are interested in the case that P (x) =x r + x s +1isatrinomial,r>s>0. Consider the computation of G =GCD(x r + x s +1,x 2n + x). If k =2 n 1, then G =GCD(x r + x s +1,x k + 1). In practice, we distinguish two cases: (1) If r k, we can use the fact that G =GCD(x r + x s +1,x k +1), where r = r mod k, s = s mod k. Thus, for small k the computation of G is trivial. (2) If k > r, the standard Euclidean algorithm would take time O(k 2 )and space Ω(k). We save time and space by first computing x 2n mod P (x) by squaring and reducing n times. Then we apply the Euclidean algorithm to compute G = GCD((x 2n mod P (x)) + x, P (x)). The overall time is O(r(n + r)) and space Ω(r). In practice the GCD computation runs much

3 A FAST ALGORITHM FOR TESTING REDUCIBILITY OF TRINOMIALS 1445 faster than the worst-case bound, because x 2n mod P (x) issparseif2 n /r is not too large. Sieving is performed with n =2, 3, 4,... until one of the following holds: (1) We find a nontrivial GCD, in which case P (x) is reducible. (2) The estimated time T s (n) which would be required to perform another sieving step satisfies nt s (n) T f (r), where T f (r) is the (estimated) time required for the full reducibility test of 4. (3) n>r/2, in which case P (x) is irreducible (in practice, it is unlikely that we sieve this far). For r = , in most cases we sieve for n 24, and sieving takes about 8% of the overall time while eliminating about 93% of trinomials from consideration. The remaining 7% of trinomials require the full reducibility test, which takes about 92% of the total computing time. In 3 4 we assume that a trinomial being tested for reducibility has already survived the sieving phase. 3. The standard algorithm The standard algorithm for testing reducibility of a polynomial P (x) usesthe following theorem, which is an easy consequence of Theorem 1. Theorem 2. Let P (x) Z 2 [x], deg(p )=r>1. ThenP (x) is irreducible iff x 2r = x mod P (x) and, for all d, 1 d<r,ifd r then GCD(x 2d + x, P (x)) = 1. The second condition in Theorem 2 is trivial if the degree r is prime, which is the case in our applications (see 6). Hence, from now on we avoid complications by assuming that r is prime, although the algorithms described here and in 4 can easily be extended to handle the more general case. When r is prime and P (x) is a trinomial, Theorem 2 reduces to Corollary 1. If r>s>0, wherer is prime, then P (x) =x r + x s +1 Z 2 [x] is irreducible iff x 2r = x mod P (x). The obvious implementation of Corollary 1 has a loop, executed r times, consisting of a squaring step A(x) A(x) 2 and a reduction step A(x) A(x) modp (x). Each of these steps can be implemented in Θ(r) bit-operationsandθ(r) space. To consider an implementation in more detail, we assume that the polynomial A(x) =a 0 + a 1 x + + a d x d is represented as a bit-string a 0 a 1...a d. Because we are working in Z 2 [x], the cross terms in A(x) 2 vanish and we have simply A(x) 2 = a 0 + a 1 x a d x 2d, which is represented as a bit-string (with optional zero padding on the right): a 0 0a 1 0a a d 1 0a d. In the following, for clarity we describe algorithms in terms of bit-operations, but an efficient implementation will use word-operations so that several bit-operations can be performed with one machine instruction.

4 1446 R. P. BRENT, S. LARVALA, AND P. ZIMMERMANN 3.1. Squaring. On a byte-addressable machine, the squaring operation can be performed eight bits at a time using a table lookup. We precompute a table of bit integers representing the squares of the 256 possible 8-bit sequences (where the integers encode the coefficients of polynomials in Z 2 [x]). Thus, squaring a polynomial of degree r 1 can be done with r/8 table lookups. We have found that, on some machines, the table lookup method is not the fastest, even if the table size is optimised to give the best results. An alternative on a machine with wordlength w =2 k bits is to perform squaring by a sequence of 2r/w log 2 (w/2) iterations of the logical operations shift right, and. For details see [5] Reduction mod P (x). Reduction of A(x) =a 0 + a 1 x+ + a d x d mod P (x), where P (x) =x r + x s + 1, is performed by a sequence of exclusive or operations (written ). While d =deg(a) r, weseta(x) A(x) (x d + x d+s r + x d r ), since x d + x d+s r + x d r =0modP (x). In terms of bit-operations: for d deg(a) downtor do begin a d r a d r a d ; a d+s r a d+s r a d ; a d 0; {This can be implicit} end. Although complete descriptions are not always given in the original papers, previous computations [9, 10, 12, 14, 20, 21, 24, 26] involving irreducible or primitive trinomials seem to have used some variant of sieving combined with squaring and reduction, much as described above. This is why we call it the standard algorithm. In 4 we describe an improvement which, although mathematically trivial, gives a significant reduction in computing time. 4. The new algorithm The standard algorithm is inefficient because many of the bit-operations are performed on bits which are necessarily zero. Our new algorithm avoids this. We assume that both r and s are odd. This is not a serious restriction. We already assumed that r is prime. If s is even, we simply replace s by r s, because the reciprocal trinomial x r + x r s + 1 is reducible iff x r + x s + 1 is reducible. Before giving the algorithm in the general case, we illustrate with the example r =7,s =3. We initialise A(x) x, i.e., a 0...a The squaring operation is implicit: we keep the bit-vector and regard this as representing a 0 a 2 a 4 a 6 a 8 a 10 a 12 (the odd-numbered coefficients a 1,a 3,... in the square are necessarily zero, so need not be computed). We now reduce mod P (x) = 1 + x 3 + x 7. Observe that x 12 = x 5 + x 8 mod P (x), so we replace a 8 by a 8 a 12. We should also replace a 5 by a 5 a 12, but a 5 is currently zero, so we can simply regard the rightmost bit as representing a 5 rather than a 12. Thus, after the first step of the reduction we have a bit-vector representing a 0 a 2 a 4 a 6 a 8 a 10 a 5,

5 A FAST ALGORITHM FOR TESTING REDUCIBILITY OF TRINOMIALS 1447 where the only bits which could have changed, because they depend on the results of operations, are underlined. Proceeding in a similar fashion, we observe that x 10 = x 3 + x 6 mod P (x), but a 3 = 0, so we replace a 6 by a 6 a 10 and implicitly regard the second bit from the right as representing a 3 rather than a 10. Thus, after the reduction we have a bit-vector representing a 0 a 2 a 4 a 6 a 8 a 3 a 5. One more step of reduction gives a bit-vector representing a 0 a 2 a 4 a 6 a 1 a 3 a 5. Observe that this bit-vector contains the coefficients of A(x) 2 mod P (x), but in a shuffled order. We need to apply an interleave permutation to get back to the natural order a 0 a 1 a 2 a 3 a 4 a 5 a 6. Interleaving is closely related to the squaring operation described in 3.1. In fact, if we square a 0 a 2 a 4 a 6 giving a 0 0a 2 0a 4 0a 6, square and rightshift a 1 a 3 a 5 0 giving 0a 1 0a 3 0a 5 0, and apply a bitwise operation, we obtain a 0 a 1 a 2 a 3 a 4 a 5 a 6.Thus, interleaving can be implemented by squaring and a few additional operations. Two squarings are necessary, but the bit-vectors are only half as long as in 3.1, so the work involved is almost the same. We now describe the new algorithm in terms of bit-operations. To avoid confusion, we denote the working bit-array by b 0 b 1 b r 1. Thisbit-arrayisusedto represent the coefficients a 0 a 1 a r 1 of the polynomial A(x), but not necessarily in the natural order. In a program, only the b-array is required. Let α =(r 1)/2 andδ =(r s)/2. Since r and s are odd, α and δ are integers. Initially we set b 1 1 and the other b j 0torepresentA(x) =x. The algorithm involves a sequence of r steps of (implicit) squaring and reduction followed by interleaving Implicit squaring and reduction. In terms of bit-operations, each squaring and reduction step is implemented by: for j r 1downtoα +1do b j δ b j δ b j. Note that there are only r/2+o(1) bit-operations in the loop, which is a 75% reduction over the 2r + O(1) for the reduction step of the standard algorithm Interleaving. A straightforward implementation of the interleaving step requires another bit-array (say c 0 c 1 c r 1 ) for the result. For example: c 0 b 0 ; for j 1toαdo begin c 2j 1 b j+α ; c 2j b j ; end. We call this a forward interleave because the loop index j increases (there is an analogous backward interleave where the loop index j decreases). We avoid

6 1448 R. P. BRENT, S. LARVALA, AND P. ZIMMERMANN Table 1. Time to test reducibility, c = time(nsec)/r 2, r = processor algorithm compiler/assembler cache size c 300 Mhz Pentium II standard C code (gcc) 512KB 7.86 assembler 6.31 new C code (gcc) 3.54 assembler Mhz Pentium III Mhz Pentium III 256KB Mhz Ultrasparc 10 C code (gcc) large Mhz SGI R12000 C code (cc) Mhz Alpha C code (gcc) 0.60 copying the array c back to b by alternately using the array b and the array c (or by interchanging pointers appropriately). The arrays b and c canoverlap,infactb j can occupy the same memory as c j+α (j =0, 1,...), if we alternate forward and backward interleaves. This reduces the storage requirement from 2r + O(1) bits to 3r/2 +O(1) bits. For details see [5, 4.3]. Partially overlapping the arrays b and c in this manner can improve performance dramatically on machines with memory hierarchies and cache sizes of less than 2r bits, because the working set is reduced in size by 25%. It has little effect on machines with much larger caches. It is possible to perform interleaving using only r + O(1) bits, by splitting the required permutation into a product of cycles. However, it seems difficult to implement such an algorithm efficiently using word-operations. To summarise, the new algorithm has 75% fewer operations than the standard algorithm. Perhaps more significant is the number of memory references, which is reduced by 56%, from 8r/w + O(1) to 3.5r/w + O(1) loads/stores on a machine with w-bit words. Also, the working set size is reduced by 25%, so memory references are more likely to be in the cache. In practice the improvement provided by the new algorithm is at least a factor of two (see Table 1). 5. Performance We expect the running time of our program (excluding sieving) to be T =10 9 cr 2 seconds for a full reducibility test, where c is machine-dependent and approximately constant. In practice, because of cache effects, c is not independent of r. InTable1 we give c for r = on various machines. For IBM PCs (Intel Pentium II and Pentium III) we give the size of the L2 cache (here and below 1KB = 1024 bytes). If the cache size is given as large this means that it is significantly larger than the working set size (3r/2 bits). Since 3r/2 bits is 553KB, the program performs much better on PCs with a 512KB cache than a 256KB cache. The programs run on PCs had inner loops written in assembler, unless otherwise noted. The NASM [23] assembler routines use MMX instructions, which operate on 64-bit registers [11]. The speedup over pure C code is approximately a factor of two. For other machines the possibilities for improving performance by using assembler were minimal, so the program was written purely in C (the times quoted are for the best compiler options,

7 A FAST ALGORITHM FOR TESTING REDUCIBILITY OF TRINOMIALS 1449 Table 2. Time to test reducibility on 300 Mhz Pentium II. r time T (sec) c =10 9 T/r discovered by experiment, using 64-bit integers for SGI and Alpha processors). In Table 1: (1) We compare the standard and new algorithms (both C and assembler implementations) on the same processor. (2) We compare the new algorithm on different Pentium processors. Note the dramatic influence of the cache size on performance an 833 Mhz Pentium III with 256KB cache runs slower than a 300 Mhz Pentium II with a 512KB cache. (3) Finally, we compare the C implementation on some other processors. In Table 2 we show the time for a full reducibility test with our new algorithm and various r on a machine (300 Mhz Pentium II) with 512KB L2 cache. The times given in the table do not include sieving, but this is relatively insignificant (e.g. sieving to n =24forr = takes about 1200 seconds, or 7.4% of the total time). 6. Computational results In Table 3 we give a table of primitive trinomials x r +x s +1, where r is a Mersenne exponent. We assume that 0 < 2s r (the reciprocal trinomial x r + x r s +1 is not listed). To save space we have omitted the entries for r 11213, which are given by Zierler [26], (see also [5, Table 5] and [18, Table 4.9]). Entries with r = ±3 mod 8 are unlikely, since s =2(orr 2) is then the only possibility, by Swan s theorem. 1 In particular, there are no primitive trinomials 2 whose degree is the Mersenne exponent r = 21701, 86243, , , , or The computations for r< have been checked by running at least two different programs on different machines. During this checking process, which confirmed the published results for r<756839, the entry with r = , s = was found. This was a surprise, because Kumada et al. [12] claimed to havesearched the whole range for r = without finding this entry. In fact Kumada et al. missed the entry because of a bug in their sieving routine [13, 17]. 1 Swan s Theorem 1 is a rediscovery of a result of Stickelberger (1897); see Swan [22, p. 1099]. An elementary proof is given by Berlekamp [1, p. 159]. For a generalisation, see Blake [2]. We only need Swan s Corollary 5. 2 Following a suggestion of Blake et al. [3], in all the cases of Mersenne exponent r = ±3 mod8 with 5 <r , we have found trinomials (of degree slightly greater than r) which have a primitive polynomial factor of exact degree r. The cases r<500 were considered in [3, Table 4]. In many applications such trinomials are as useful as primitive trinomials of degree r. Details will appear elsewhere.

8 1450 R. P. BRENT, S. LARVALA, AND P. ZIMMERMANN Table 3. Primitive trinomials with degree a Mersenne exponent. r s Notes , 7083, 9842 Kurita and Matsumoto [14] , 6619, 9739 Kurita and Matsumoto [14] , Kurita and Matsumoto [14] , Heringa et al. [10] , 33912, 41469, 52549, Heringa et al. [10] , , Brent et al. [5] , See text, , Brent et al. [5] The three entries for r = are new (Kumada et al. did not search for this r), as are the two entries for r = The search for r = is complete, but has not been verified by an independent computation, so there is a possibility that a primitive trinomial has been missed due to a machine or programming error. 3 Since the average time for a single reducibility test is O(r 2 ), the time required to test all trinomials of degree r is O(r 3 ). Thus, ignoring the variability of c and the effect of different sieving cutoffs, 4 we expect a search for r = to take about 43 times as long as that for , and a search for r = to take about 12 times as long as that for r = By a theorem of Ore [19], if P (x) =x r + x s + 1 is primitive, then the trinomial P [2] (x) =x 2r 1 + x 2s of degree 2 r 1 is irreducible. 5 Thus, from the entries in Table 3 we can obtain irreducible trinomials of Mersenne prime degree as high as There is a large gap between some of the Mersenne exponents r for which primitive trinomials exist, e.g., none exist in the interval <r< In Table 4 we give some irreducible trinomials to fill this gap. As usual, we only list s r/2. The exponents r were chosen to be close to the arithmetic progression 10 5, , ,... with the constraints that r is prime, 2 r 1iscomposite, and no prime factors of 2 r 1 are known. Such factors are certainly larger than 2 56 : see [8]. The trinomials listed in Table 4 are extremely likely to be primitive, 6 but we are unable to prove primitivity without knowing the factorizations of 2 r 1. There is an interest in finding irreducible trinomials x r + x s +1 with s 2. Heuristic arguments suggest that the number with r n is Θ(log n), and that the number with prime r n is Θ(log log n). Zierler [27] searched for irreducible trinomials x r +x+1 with r 30000, and Fredricksen and Wisniewski [7] searched for 3 The search for r = was completed in April In February 2001 we commenced a search with the next known Mersenne exponent r = ; by February 2002 the search was 26% complete. For information on current status and results, see 4 If the sieving cutoff is Θ(log r), then it is plausible that the overall time is Θ(r 3 / log r). 5 Ore s theorem was rediscovered by Gleason and Marsh, and generalised by Zierler see Golomb [9, 5.4], Lidl [16, Theorem 3.63], and Zierler [25]. 6 There are (2 r 2)/r irreducible polynomials of degree r, andoftheseφ(2 r 1)/r are primitive, so the probability ρ that a randomly chosen irreducible polynomial of degree r is also primitive is φ(2 r 1)/(2 r 2);thisiscloseto1as2 r 1 has no small prime factors. In Table 4, r and the prime factors of 2 r 1 are at least 2 56,so ρ ( ) r/

9 A FAST ALGORITHM FOR TESTING REDUCIBILITY OF TRINOMIALS 1451 Table 4. Some irreducible trinomials with prime degree r. r s Search status , complete , 55224, 95397, 96236, 97575, , , , 10101, , , , , , , , % complete , , % complete irreducible trinomials x r + x 2 +1 with r We have searched for s 2, odd prime r< By Swan s theorem, we have s =1ifr = ±1 mod8,ands =2 if r = ±3 mod 8. In addition to the known odd prime values r =3, 5, 7, 11, 29, 127 (see for example [18, Table 4.6]), we found just one new example: r = 80141, s =2. One further (large) example, r = , is a consequence of Ore s theorem [19] and is discussed by Lenstra and Schoof [15, Lemma 4.1]. Acknowledgments. We thank the users of several workstations at INRIA Lorraine and Oxford University Computing Laboratory for making their idle time available. The Oxford Supercomputing Centre provided time to run the first author s programs on Oscar, an SGI Origin 2000, and Tosca, a PC cluster. Barry Mead and Mark Rodenkirch contributed some CPU cycles. Robert Hedges supplied a copy of [2], and Shuhong Gao kindly provided a preprint of his paper [3]. Mike Yoder drew our attention to [7], and verified our new results with his independentlywritten Ada program. Finally, we thank an anonymous referee for his comments on an earlier version of this paper. References [1] E. R. Berlekamp, Algebraic Coding Theory, McGraw-Hill, New York, MR 38:6873 [2] I. F. Blake, S. Gao and R. J. Lambert, Constructive problems for irreducible polynomials over finite fields, in Information Theory and Applications, Lecture Notes in Computer Science 793, Springer-Verlag, Berlin, 1994, MR 95c:94007 [3] I. F. Blake, S. Gao and R. J. Lambert, Construction and distribution problems for irreducible trinomials over finite fields, Applications of Finite Fields, Oxford Univ. Press, New York, 1996, pp MR 98a:11170 [4] R. P. Brent, Random number generation and simulation on vector and parallel computers (extended abstract), Proc. Fourth Euro-Par Conference, Lecture Notes in Computer Science 1470, Springer-Verlag, Berlin, 1998, [5] R. P. Brent, S. Larvala and P. Zimmermann, A Fast Algorithm for Testing Irreducibility of Trinomials mod 2 (preliminary report), Report PRG- TR-13-00, Oxford University Computing Laboratory, 30 December See

10 1452 R. P. BRENT, S. LARVALA, AND P. ZIMMERMANN [6] J. Brillhart, D. H. Lehmer, J. L. Selfridge, B. Tuckerman, and S. S. Wagstaff, Jr., Factorizations of b n ± 1, b =2, 3, 5, 6, 7, 10, 11, 12 up to high powers, 2nd ed., Amer. Math. Soc., Providence, RI, Updates available from MR 90d:11009 [7] H. Fredricksen and R. Wisniewski, On trinomials x n + x 2 +1 and x 8l±3 + x k + 1 irreducible over GF(2), Inform. and Control 50 (1981), MR 84i:12013 [8] GIMPS, The Great Internet Mersenne Prime Search, [9] S. W. Golomb, Shift register sequences, Holden-Day, San Francisco, MR 39:3906 Revised edition, Aegean Park Press, 1982, ISBN [10] J. R. Heringa, H. W. J. Blöte and A. Compagner. New primitive trinomials of Mersenneexponent degrees for random-number generation, InternationalJ.ofModernPhysicsC 3 (1992), MR 94a:11118 [11] Intel Corporation, MMX Technology Programmer s Reference Manual. Available from [12] T. Kumada, H. Leeb, Y. Kurita and M. Matsumoto, New primitive t-nomials (t = 3, 5) over GF(2) whose degree is a Mersenne exponent, Math. Comp. 69 (2000), MR 2000i:11183 [13] T. Kumada, Y. Kurita and M. Matsumoto, Corrigenda to New primitive t-nomials (t = 3, 5) over GF(2) whose degree is a Mersenne exponent, and some new primitive pentanomials, Math. Comp. 71 (2002), [14] Y. Kurita and M. Matsumoto, Primitive t-nomials (t =3, 5) over GF(2) whose degree is a Mersenne exponent 44497, Math. Comp. 56 (1991), MR 91h:11138 [15] H. W. Lenstra and R. J. Schoof, Primitive normal bases for finite fields, Math. Comp. 48 (1987), MR 88c:11076 [16] R. Lidl and H. Niederreiter, Introduction to Finite Fields and their Applications, Cambridge Univ. Press, Cambridge, second edition, MR 95f:11098 [17] M. Matsumoto, Private communication by , 17 July [18] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, MR99g:94015 [19] O. Ore, Contributions to the theory of finite fields, Trans. Amer. Math. Soc. 36 (1934), [20] E. R. Rodemich and H. Rumsey, Jr., Primitive trinomials of high degree, Math. Comp. 22 (1968), MR 39:177 [21] W. Stahnke, Primitive binary polynomials, Math. Comp. 27 (1973), MR 48:6064 [22] R. G. Swan, Factorization of polynomials over finite fields, Pacific J. Math. 12 (1962), MR 26:2432 [23] S. Tatham and J. Hall, NASM v0.98, the Netwide Assembler, available from [24] E. J. Watson, Primitive polynomials (mod 2), Math. Comp. 16 (1962), MR 26:5764 [25] N. Zierler, On the theorem of Gleason and Marsh, Proc. Amer. Math. Soc. 9 (1958), MR 20:851 [26] N. Zierler, Primitive trinomials whose degree is a Mersenne exponent, Inform. and Control 15 (1969), MR 39:5522 [27] N. Zierler, On x n + x + 1 over GF(2), Inform. and Control 16 (1970), MR 42:5955 Oxford University Computing Laboratory, Wolfson Building, Parks Road, Oxford, OX1 3QD, England address: Richard.Brent@comlab.ox.ac.uk Helsinki University of Technology, Espoo, Finland address: slarvala@cc.hut.fi LORIA/INRIA Lorraine, 615 rue du jardin botanique, BP 101, F Villers-lès- Nancy, France address: Paul.Zimmermann@loria.fr